AlienVault® USM Anywhere™

VPC Traffic Mirroring with an Amazon Web Services (AWS) Sensor

With Amazon Web Services (AWS) Virtual Private Cloud (VPC) Traffic Mirroring, all traffic from your AWS environment can be mirrored and sent directly to your sensor for monitoring, bringing network intrusion detection system (NIDS)Network Intrusion Dectection System (NIDS) monitors network traffic and events for suspicious or malicious activity using the sensors that provide management and network monitoring interfaces to networks and network devices. functionality to your AWS Sensor.

Preparing Your Environment for VPC Traffic Mirroring

To enable VPC Traffic Mirroring, you must first ensure that:

  • Your instance is at least an m5.xlarge
  • VPC Traffic Mirroring for AWS Sensors is only available on Nitro-based instances.
  • Your instance has a second network interface configured, called the traffic interface
  • Your firewall rules allow virtual extensible local area network (VXLAN) traffic through your traffic interface (inbound UDP 4789 is applied)
If you select Enable Traffic Mirroring when you first deploy (or redeploy) the sensor, these requirements are automatically set up for you. Otherwise, you must make all three of these changes manually.

Configuring VPC Traffic Mirroring

To run AWS VPC Traffic Mirroring in your environment, you must create and configure the following:

  • Create a target: This target serves as the destination for your mirrored traffic.
  • Define a mirror filter: The mirror's filter specifies which traffic is mirrored for your AWS Sensor.
  • Create the mirror session: This session configures precisely how your traffic is mirrored.

To create a target

  1. Go to Networking & Content Delivery > VPCin your AWS Management Console and click Mirror Targets under Traffic Mirroring.
  2. Click Create traffic mirror target.
  3. Enter the following:
    • (Optional.) Name tag: A name for this target
    • (Optional.) Description: A description of this target
    • Target Type: This value must be Network Interface
    • Target: The identification (ID) of your instance's traffic interface
  4. (Optional.) If you use tags to organize your AWS resources, you can add tags to this target.

  5. Click Create.

To define the mirror filter

This filter defines what traffic is mirrored to your AWS Sensor. You can specify inbound and outbound filters, as well as applying filters for Amazon Network services.

  1. Go to Networking & Content Delivery > VPCin your AWS Management Console and click Mirror Filters under Traffic Mirroring.
  2. Click Create traffic mirror filter.
  3. (Optional.) Enter the following information:
    • Name tag: A name for your traffic mirror filter
    • Description: A description for your traffic mirror filter
    • Network services: Select this checkbox to have your filter mirror network services data
    • Click "Create Mirror Filter" to define a filter for your VPC Mirror

  4. If you want your filter to capture Domain Name System (DNS) traffic, you must select the amazon-dns checkbox.
  5. Configure your inbound and outbound filtering rules.
    1. Click Add rule.
    2. Use the options provided to define these rules:
      • Number: Priority settings to order which rules are evaluated before others.
      • Rule Action: Specify the action (accept or reject) to take for the filtered packet.
      • Protocol: Specify one protocol to collect, or select All protocols to collect all traffic.
      • (Optional.) Source Port Range: Specify the source port range you want to filter.
      • (Optional.) Destination Port Range: Specify the destination port range you want to filter.
      • Source CIDR Block: Specify the source IP ranges you want to filter.
      • Destination CIDR Block: Specify the destination IP ranges you want to filter.
      • (Optional.) Description: A description for this filtering rule.
  6. (Optional.) If you use tags to organize your AWS resources, you can add tags to this filter.
  7. Click Create.

To create a session

You must create one mirror session per device.
  1. Go to Networking & Content Delivery > VPCin your AWS Management Console and click Mirror Sessions under Traffic Mirroring.
  2. Click Create traffic mirror session.
  3. Enter the following information:
    • (Optional.) Name tag: A name for your traffic mirror session
    • (Optional.) Description: A description for your traffic mirror session
    • Mirror Source: The network interface ID of the instance you want to monitor
    • Mirror Target: The ID of your instance's traffic interface
    • Session Number: Priority settings to order which sessions are evaluated before others
    • VNI: Set this to 1169
    • (Optional.) Packet length: The number of bytes from each packet to mirror
    • AT&T Cybersecurity recommend leaving this blank to mirror the entire packet.
    • Filter: The filter you have created for your VPC Traffic Mirroring session
  4. (Optional.) If you use tags to organize your AWS resources, you can add tags to this session.
  5. Click Create.